JIRA: https://issues.redhat.com/browse/RHEL-102233
CVE: CVE-2025-38079
commit b2df03ed4052e97126267e8c13ad4204ea6ba9b6
Author: Ivan Pravdin <ipravdin.official@gmail.com>
Date: Sun May 18 18:41:02 2025 -0400
crypto: algif_hash - fix double free in hash_accept
If accept(2) is called on socket type algif_hash with
MSG_MORE flag set and crypto_ahash_import fails,
sk2 is freed. However, it is also freed in af_alg_release,
leading to slab-use-after-free error.
Fixes: fe869cdb89 ("crypto: algif_hash - User-space interface for hash operations")
Cc: <stable@vger.kernel.org>
Signed-off-by: Ivan Pravdin <ipravdin.official@gmail.com>
Signed-off-by: Herbert Xu <herbert@gondor.apana.org.au>
Signed-off-by: CKI Backport Bot <cki-ci-bot+cki-gitlab-backport-bot@redhat.com>
JIRA: https://issues.redhat.com/browse/RHEL-83268
Conflicts:
crypto/crypto_engine.c code change in crypto_pump_requests
Different name of variable due to different order of kernel
backports. Upstream commit e5e7eb023f24 (crypto: engine - Move
crypto_engine_ops from request into crypto_alg) was merged
without backporting this patch.
commit bcd6e41d983621954dfc3f1f64249a55838b3e6a
Author: Herbert Xu <herbert@gondor.apana.org.au>
Date: Sun, 13 Aug 2023 14:54:32 +0800
The callbacks for prepare and unprepare request in crypto_engine
is superfluous. They can be done directly from do_one_request.
Move the code into do_one_request and remove the unused callbacks.
Signed-off-by: Herbert Xu <herbert@gondor.apana.org.au>
Signed-off-by: Marcin Juszkiewicz <mjuszkiewicz@redhat.com>
JIRA: https://issues.redhat.com/browse/RHEL-72531
JIRA: https://issues.redhat.com/browse/RHEL-59967
Separate out the HKDF functions into a separate module to
make them available to other callers.
And add a testsuite to the module with test vectors
from RFC 5869 (and additional vectors for SHA384 and SHA512)
to ensure the integrity of the algorithm.
Signed-off-by: Hannes Reinecke <hare@kernel.org>
Acked-by: Eric Biggers <ebiggers@kernel.org>
Acked-by: Herbert Xu <herbert@gondor.apana.org.au>
Signed-off-by: Keith Busch <kbusch@kernel.org>
(cherry picked from commit 3241cd0c6c17919b5b984c6b770ced3d797ddc4c)
Signed-off-by: Maurizio Lombardi <mlombard@redhat.com>
MR: https://gitlab.com/redhat/centos-stream/src/kernel/centos-stream-9/-/merge_requests/6514
JIRA: https://issues.redhat.com/browse/RHEL-81929
commit 747ae81883d21595b162cc40523a982024700fed
Author: Joachim Vandersmissen <git@jvdsn.com>
Date: Sun May 12 23:55:07 2024 -0500
certs: Add ECDSA signature verification self-test
Commit c27b2d2012e1 ("crypto: testmgr - allow ecdsa-nist-p256 and -p384
in FIPS mode") enabled support for ECDSA in crypto/testmgr.c. The
PKCS#7 signature verification API builds upon the KCAPI primitives to
perform its high-level operations. Therefore, this change in testmgr.c
also allows ECDSA to be used by the PKCS#7 signature verification API
(in FIPS mode).
However, from a FIPS perspective, the PKCS#7 signature verification API
is a distinct "service" from the KCAPI primitives. This is because the
PKCS#7 API performs a "full" signature verification, which consists of
both hashing the data to be verified, and the public key operation.
On the other hand, the KCAPI primitive does not perform this hashing
step - it accepts pre-hashed data from the caller and only performs the
public key operation.
For this reason, the ECDSA self-tests in crypto/testmgr.c are not
sufficient to cover ECDSA signature verification offered by the PKCS#7
API. This is reflected by the self-test already present in this file
for RSA PKCS#1 v1.5 signature verification.
The solution is simply to add a second self-test here for ECDSA. P-256
with SHA-256 hashing was chosen as those parameters should remain
FIPS-approved for the foreseeable future, while keeping the performance
impact to a minimum. The ECDSA certificate and PKCS#7 signed data was
generated using OpenSSL. The input data is identical to the input data
for the existing RSA self-test.
Signed-off-by: Joachim Vandersmissen <git@jvdsn.com>
Reviewed-by: Jarkko Sakkinen <jarkko@kernel.org>
Acked-by: Herbert Xu <herbert@gondor.apana.org.au>
Signed-off-by: Jarkko Sakkinen <jarkko@kernel.org>
Signed-off-by: Herbert Xu <herbert.xu@redhat.com>
Approved-by: Vladis Dronov <vdronov@redhat.com>
Approved-by: Coiby Xu <coxu@redhat.com>
Approved-by: Clemens Lang <cllang@redhat.com>
Approved-by: CKI KWF Bot <cki-ci-bot+kwf-gitlab-com@redhat.com>
Merged-by: Augusto Caringi <acaringi@redhat.com>
JIRA: https://issues.redhat.com/browse/RHEL-83988
commit 20238d49448cdb406da2b9bd3e50f892b26da318
Author: Dr. David Alan Gilbert <linux@treblig.org>
Date: Sun Sep 29 14:21:48 2024 +0100
async_xor: Remove unused 'async_xor_val'
async_xor_val has been unused since commit
a7c224a820 ("md/raid5: convert to new xor compution interface")
Remove it.
Signed-off-by: Dr. David Alan Gilbert <linux@treblig.org>
Signed-off-by: Herbert Xu <herbert@gondor.apana.org.au>
Signed-off-by: Nigel Croxon <ncroxon@redhat.com>
JIRA: https://issues.redhat.com/browse/RHEL-81929
commit 8cd9f234f7066a783bb8beab8f25f9e31d878e17
Author: Joachim Vandersmissen <git@jvdsn.com>
Date: Sun May 12 23:55:06 2024 -0500
certs: Move RSA self-test data to separate file
In preparation of adding new ECDSA self-tests, the existing data for
the RSA self-tests is moved to a separate file. This file is only
compiled if the new CONFIG_FIPS_SIGNATURE_SELFTEST_RSA configuration
option is set, which ensures that the required dependencies (RSA,
SHA-256) are present. Otherwise, the kernel would panic when trying to
execute the self-test.
The introduction of this new option, rather than adding the
dependencies to the existing CONFIG_FIPS_SIGNATURE_SELFTEST option,
allows for additional self-tests to be added for different algorithms.
The kernel can then be configured to only execute the self-tests for
those algorithms that are included.
Signed-off-by: Joachim Vandersmissen <git@jvdsn.com>
Reviewed-by: Jarkko Sakkinen <jarkko@kernel.org>
Acked-by: Herbert Xu <herbert@gondor.apana.org.au>
Signed-off-by: Jarkko Sakkinen <jarkko@kernel.org>
Signed-off-by: Herbert Xu <herbert.xu@redhat.com>
JIRA: https://issues.redhat.com/browse/RHEL-81929
commit 04a93202ed7c3b451bf22d3ff4bcd379df27f299
Author: Herbert Xu <herbert@gondor.apana.org.au>
Date: Mon Oct 16 13:21:44 2023 +0800
certs: Break circular dependency when selftest is modular
The modular build fails because the self-test code depends on pkcs7
which in turn depends on x509 which contains the self-test.
Split the self-test out into its own module to break the cycle.
Fixes: 3cde3174eb91 ("certs: Add FIPS selftests")
Signed-off-by: Herbert Xu <herbert@gondor.apana.org.au>
Reviewed-by: Jarkko Sakkinen <jarkko@kernel.org>
Signed-off-by: Herbert Xu <herbert@gondor.apana.org.au>
Signed-off-by: Herbert Xu <herbert.xu@redhat.com>
JIRA: https://issues.redhat.com/browse/RHEL-81929
commit 0f5d4a0b995faa6537c4de79973817a4f8da206a
Author: Arnd Bergmann <arnd@arndb.de>
Date: Thu Dec 15 18:02:52 2022 +0100
crypto: certs: fix FIPS selftest dependency
The selftest code is built into the x509_key_parser module, and depends
on the pkcs7_message_parser module, which in turn has a dependency on
the key parser, creating a dependency loop and a resulting link
failure when the pkcs7 code is a loadable module:
ld: crypto/asymmetric_keys/selftest.o: in function `fips_signature_selftest':
crypto/asymmetric_keys/selftest.c:205: undefined reference to `pkcs7_parse_message'
ld: crypto/asymmetric_keys/selftest.c:209: undefined reference to `pkcs7_supply_detached_data'
ld: crypto/asymmetric_keys/selftest.c:211: undefined reference to `pkcs7_verify'
ld: crypto/asymmetric_keys/selftest.c:215: undefined reference to `pkcs7_validate_trust'
ld: crypto/asymmetric_keys/selftest.c:219: undefined reference to `pkcs7_free_message'
Avoid this by only allowing the selftest to be enabled when either
both parts are loadable modules, or both are built-in.
Signed-off-by: Arnd Bergmann <arnd@arndb.de>
Reviewed-by: Jarkko Sakkinen <jarkko@kernel.org>
Signed-off-by: Jarkko Sakkinen <jarkko@kernel.org>
Signed-off-by: Herbert Xu <herbert.xu@redhat.com>
JIRA: https://issues.redhat.com/browse/RHEL-81929
commit a4aed36ed5924a05ecfadc470584188bfba2b928
Author: Stefan Berger <stefanb@linux.ibm.com>
Date: Tue Jun 29 17:34:21 2021 -0400
certs: Add support for using elliptic curve keys for signing modules
Add support for using elliptic curve keys for signing modules. It uses
a NIST P384 (secp384r1) key if the user chooses an elliptic curve key
and will have ECDSA support built into the kernel.
Note: A developer choosing an ECDSA key for signing modules should still
delete the signing key (rm certs/signing_key.*) when building an older
version of a kernel that only supports RSA keys. Unless kbuild automatically
detects and generates a new kernel module key, ECDSA-signed kernel
modules will fail signature verification.
Cc: David Howells <dhowells@redhat.com>
Cc: David Woodhouse <dwmw2@infradead.org>
Signed-off-by: Stefan Berger <stefanb@linux.ibm.com>
Reviewed-by: Jarkko Sakkinen <jarkko@kernel.org>
Tested-by: Jarkko Sakkinen <jarkko@kernel.org>
Signed-off-by: Jarkko Sakkinen <jarkko@kernel.org>
Signed-off-by: Herbert Xu <herbert.xu@redhat.com>
JIRA: https://issues.redhat.com/browse/RHEL-78983
CVE: CVE-2024-56690
Upstream Status: linux.git
commit 662f2f13e66d3883b9238b0b96b17886179e60e2
Author: Yi Yang <yiyang13@huawei.com>
Date: Tue Oct 15 02:09:35 2024 +0000
crypto: pcrypt - Call crypto layer directly when padata_do_parallel() return -EBUSY
Since commit 8f4f68e788c3 ("crypto: pcrypt - Fix hungtask for
PADATA_RESET"), the pcrypt encryption and decryption operations return
-EAGAIN when the CPU goes online or offline. In alg_test(), a WARN is
generated when pcrypt_aead_decrypt() or pcrypt_aead_encrypt() returns
-EAGAIN, and an unnecessary panic will occur when panic_on_warn is set to 1.
Fix this issue by calling crypto layer directly without parallelization
in that case.
Fixes: 8f4f68e788c3 ("crypto: pcrypt - Fix hungtask for PADATA_RESET")
Signed-off-by: Yi Yang <yiyang13@huawei.com>
Signed-off-by: Herbert Xu <herbert@gondor.apana.org.au>
Signed-off-by: Herbert Xu <herbert.xu@redhat.com>
MR: https://gitlab.com/redhat/centos-stream/src/kernel/centos-stream-9/-/merge_requests/6000
JIRA: https://issues.redhat.com/browse/RHEL-68420
Upstream Status: RHEL only
When the iov_iter change was added the EFAULT handling became
broken. Fix it by checking that copy_to_iter copied the correct
number of bytes.
Also make sure that a failure in crypto_rng_get_bytes does not
cause previous bytes to be discarded.
Finally update the scheduling code per get_random_bytes_user.
Signed-off-by: Herbert Xu <herbert.xu@redhat.com>
Approved-by: Vladis Dronov <vdronov@redhat.com>
Approved-by: Phil Auld <pauld@redhat.com>
Approved-by: CKI KWF Bot <cki-ci-bot+kwf-gitlab-com@redhat.com>
Merged-by: Rado Vrbovsky <rvrbovsk@redhat.com>
JIRA: https://issues.redhat.com/browse/RHEL-64867
Conflicts: RHEL is missing commit 1ded5e5a5931 ("net: annotate
data-races around sock->ops"), which accounts for the differences in
ops structure dereferencing.
commit 92ef0fd55ac80dfc2e4654edfe5d1ddfa6e070fe
Author: Jens Axboe <axboe@kernel.dk>
Date: Thu May 9 09:20:08 2024 -0600
net: change proto and proto_ops accept type
Rather than pass in flags, error pointer, and whether this is a kernel
invocation or not, add a struct proto_accept_arg struct as the argument.
This then holds all of these arguments, and prepares accept for being
able to pass back more information.
No functional changes in this patch.
Acked-by: Jakub Kicinski <kuba@kernel.org>
Signed-off-by: Jens Axboe <axboe@kernel.dk>
Signed-off-by: Jeff Moyer <jmoyer@redhat.com>
JIRA: https://issues.redhat.com/browse/RHEL-52747
Upstream Status: git://git.kernel.org/pub/scm/linux/kernel/git/torvalds/linux.git
Conflicts: Replicated changes in crypto/asymmetric_keys/asym_tpm.c due to missing d3cff4a95e
commit e1b72e1b11109bd81577950538a17bc0428e647f
Author: Jarkko Sakkinen <jarkko@kernel.org>
Date: Mon Apr 29 16:27:54 2024 -0400
tpm: Store the length of the tpm_buf data separately.
TPM2B buffers, or sized buffers, have a two byte header, which contains the
length of the payload as a 16-bit big-endian number, without counting in
the space taken by the header. This differs from encoding in the TPM header
where the length includes also the bytes taken by the header.
Unbind the length of a tpm_buf from the value stored in the TPM command
header. Add a separate encoding and decoding step so that different buffer
types can be supported, with variant header format and length encoding.
Signed-off-by: James Bottomley <James.Bottomley@HansenPartnership.com>
Reviewed-by: Stefan Berger <stefanb@linux.ibm.com>
Reviewed-by: Jarkko Sakkinen <jarkko@kernel.org>
Tested-by: Jarkko Sakkinen <jarkko@kernel.org>
Signed-off-by: Jarkko Sakkinen <jarkko@kernel.org>
Signed-off-by: Štěpán Horáček <shoracek@redhat.com>
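The two length encodings the commit message contrasts are easy to confuse, which is exactly the class of bug that keeping the tpm_buf data length separate avoids. As an added example (not the kernel's tpm_buf code), the following Python decodes both: a TPM command header whose u32 commandSize counts the 10-byte header itself, and TPM2B sized buffers whose u16 length excludes their own 2-byte header. The sample command bytes are constructed for the example; the command code constant is only an illustrative value.

```python
import struct

TPM_HEADER_LEN = 10  # tag (u16) + commandSize (u32) + commandCode (u32), all big-endian
TPM_ST_NO_SESSIONS = 0x8001
ILLUSTRATIVE_CC = 0x00000182  # command code used only to build the constructed sample


def parse_tpm_header(buf: bytes):
    """Decode a TPM command header. commandSize includes the header bytes, so the
    payload is buf[10:commandSize]; anything shorter than 10 or beyond the buffer is bogus."""
    if len(buf) < TPM_HEADER_LEN:
        raise ValueError("short TPM header")
    tag, size, code = struct.unpack(">HII", buf[:TPM_HEADER_LEN])
    if size < TPM_HEADER_LEN or size > len(buf):
        raise ValueError(f"bad commandSize {size} for {len(buf)} bytes")
    return tag, size, code, buf[TPM_HEADER_LEN:size]


def parse_tpm2b(buf: bytes, offset: int = 0):
    """Decode one TPM2B at `offset`. The u16 length counts only the payload,
    not the 2-byte size field. Returns (payload, offset_after)."""
    if len(buf) - offset < 2:
        raise ValueError("short TPM2B header")
    (n,) = struct.unpack_from(">H", buf, offset)
    start = offset + 2
    if start + n > len(buf):
        raise ValueError(f"TPM2B length {n} overruns buffer")
    return buf[start:start + n], start + n


def tpm2b_is_well_formed(buf: bytes, offset: int = 0) -> bool:
    try:
        parse_tpm2b(buf, offset)
        return True
    except ValueError:
        return False


def encode_tpm2b(payload: bytes) -> bytes:
    if len(payload) > 0xFFFF:
        raise ValueError("TPM2B payload too large")
    return struct.pack(">H", len(payload)) + payload


def build_command(code: int, body: bytes, tag: int = TPM_ST_NO_SESSIONS) -> bytes:
    # commandSize is the total length, header included.
    return struct.pack(">HII", tag, TPM_HEADER_LEN + len(body), code) + body


def walk(buf: bytes):
    """Parse a header followed by a sequence of TPM2B fields."""
    _tag, size, code, payload = parse_tpm_header(buf)
    fields = []
    off = 0
    while off < len(payload):
        data, off = parse_tpm2b(payload, off)
        fields.append(data)
    return size, code, fields


# Constructed sample (not a real TPM trace): one 4-byte TPM2B followed by an empty one.
SAMPLE = build_command(ILLUSTRATIVE_CC, encode_tpm2b(b"\xaa" * 4) + encode_tpm2b(b""))

if __name__ == "__main__":
    print(walk(SAMPLE))  # header size counts 10 header bytes + 6 + 2 payload bytes
```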
JIRA: https://issues.redhat.com/browse/RHEL-50799
Upstream status: https://git.kernel.org/pub/scm/linux/kernel/git/torvalds/linux.git
Tested: by IBM
Build-Info: https://brewweb.engineering.redhat.com/brew/taskinfo?taskID=65765912
Conflicts: Code changes necessary to adapt to existing differences to
upstream - no functional change
commit c3dcb058b110d07e56cc8129273e1342905b611c
Add new shash exploiting the HMAC hardware accelerations for SHA224,
SHA256, SHA384 and SHA512 introduced with message-security assist
extension 11.
Reviewed-by: Harald Freudenberger <freude@linux.ibm.com>
Signed-off-by: Holger Dengler <dengler@linux.ibm.com>
Signed-off-by: Vasily Gorbik <gor@linux.ibm.com>
Signed-off-by: Mete Durlu <mdurlu@redhat.com>
JIRA: https://issues.redhat.com/browse/RHEL-52758
commit b42519dbba838c928e82b55f32712fbe3eed2c45
Author: Danny Tsen <dtsen@linux.ibm.com>
Date: Thu May 16 11:19:57 2024 -0400
crypto: ppc/curve25519 - Update Kconfig and Makefile for ppc64le
Defined CRYPTO_CURVE25519_PPC64 to support X25519 for ppc64le.
Added new module curve25519-ppc64le for X25519.
Signed-off-by: Danny Tsen <dtsen@linux.ibm.com>
Signed-off-by: Herbert Xu <herbert@gondor.apana.org.au>
Signed-off-by: Mamatha Inamdar <minamdar@redhat.com>
JIRA: https://issues.redhat.com/browse/RHEL-34947
commit dd9af7046d815a4d6ee77c2958d98de2af294309
Author: Dimitri John Ledkov <dimitri.ledkov@canonical.com>
Date: Mon, 30 Oct 2023 14:05:15 +0200
Update code comment, self test & healthcheck to use HMAC SHA512
instead of HMAC SHA256. These changes are in dead code, or FIPS
enabled code paths only, and have no effect on usual kernel builds.
On systems booting in FIPS mode this has the effect of switching the sanity
selftest to being HMAC SHA512 based (which has been the default DRBG).
This patch updates code from 9b7b94683a ("crypto: DRBG - switch to
HMAC SHA512 DRBG as default DRBG"), but is not interesting to
cherry-pick for stable updates, because it doesn't affect regular
builds, nor has any tangible effect on FIPS certification.
Signed-off-by: Dimitri John Ledkov <dimitri.ledkov@canonical.com>
Reviewed-by: Stephan Mueller <smueller@chronox.de>
Signed-off-by: Herbert Xu <herbert@gondor.apana.org.au>
Signed-off-by: Charles Mirabile <cmirabil@redhat.com>
JIRA: https://issues.redhat.com/browse/RHEL-34947
commit a9dc62988600e57cabcca9b357cde4df8ee61fb5
Author: Dimitri John Ledkov <dimitri.ledkov@canonical.com>
Date: Mon, 30 Oct 2023 14:05:14 +0200
When originally drbg was introduced FIPS self-checks for all types but
CTR were using the most preferred parameters for each type of
DRBG. Update CTR self-check to use aes256.
This patch updates code from 541af946fe ("crypto: drbg - SP800-90A
Deterministic Random Bit Generator"), but is not interesting to
cherry-pick for stable updates, because it doesn't affect regular
builds, nor has any tangible effect on FIPS certification.
Signed-off-by: Dimitri John Ledkov <dimitri.ledkov@canonical.com>
Reviewed-by: Stephan Mueller <smueller@chronox.de>
Signed-off-by: Herbert Xu <herbert@gondor.apana.org.au>
Signed-off-by: Charles Mirabile <cmirabil@redhat.com>
JIRA: https://issues.redhat.com/browse/RHEL-34947
commit 7ee44f1b59df29419e1bfdfd118fbcdd83c5398c
Author: Dimitri John Ledkov <dimitri.ledkov@canonical.com>
Date: Mon, 30 Oct 2023 14:05:13 +0200
drbg supports multiple types of drbg, and multiple parameters of
each. Health check sanity only checks one drbg of a single type. One
can enable all three types of drbg. And instead of checking the most
preferred algorithm (last one wins), it is currently checking the first
one instead.
Update ifdef to ensure that healthcheck prefers HMAC, over HASH, over
CTR, last one wins, like all other code and functions.
This patch updates code from 541af946fe ("crypto: drbg - SP800-90A
Deterministic Random Bit Generator"), but is not interesting to
cherry-pick for stable updates, because it doesn't affect regular
builds, nor has any tangible effect on FIPS certification.
Signed-off-by: Dimitri John Ledkov <dimitri.ledkov@canonical.com>
Reviewed-by: Stephan Mueller <smueller@chronox.de>
Signed-off-by: Herbert Xu <herbert@gondor.apana.org.au>
Signed-off-by: Charles Mirabile <cmirabil@redhat.com>
JIRA: https://issues.redhat.com/browse/RHEL-34947
Conflicts:
crypto/ahash.c skip hunk in crypto_clone_ahash. Function
does not exist because of missing backport of upstream
ed3630b83e93 ("crypto: hash - Add crypto_clone_ahash/shash")
commit c7535fb2ddf695fbb8b2c2b935307e33556082de
Author: Herbert Xu <herbert@gondor.apana.org.au>
Date: Thu, 20 Apr 2023 18:05:16 +0800
As ahash drivers may need to use fallbacks, their state size
is thus variable. Deal with this by making it an attribute
of crypto_ahash.
Signed-off-by: Herbert Xu <herbert@gondor.apana.org.au>
Signed-off-by: Charles Mirabile <cmirabil@redhat.com>
JIRA: https://issues.redhat.com/browse/RHEL-34947
Conflicts:
crypto/crypto_engine.c code change in crypto_pump_requests.
Just moving more code into the else block of the if-else
statement that is being introduced in the upstream patch.
Needed due to missing backport of upstream commit
bcd6e41d9836 ("crypto: engine - Remove prepare/unprepare request")
commit e5e7eb023f24653b07329162b6359283b3a03a20
Author: Herbert Xu <herbert@gondor.apana.org.au>
Date: Sun, 13 Aug 2023 14:54:49 +0800
Rather than having the callback in the request, move it into the
crypto_alg object. This avoids having crypto_engine look into the
request context, which is private to the driver.
Signed-off-by: Herbert Xu <herbert@gondor.apana.org.au>
Signed-off-by: Charles Mirabile <cmirabil@redhat.com>
JIRA: https://issues.redhat.com/browse/RHEL-34947
commit 45c461c503a7a12f4c5efaff289be17a442aeefe
Author: Herbert Xu <herbert@gondor.apana.org.au>
Date: Sun, 13 Aug 2023 14:54:41 +0800
Create crypto/internal/engine.h to house details that should not
be used by drivers. It is empty for the time being.
Signed-off-by: Herbert Xu <herbert@gondor.apana.org.au>
Signed-off-by: Charles Mirabile <cmirabil@redhat.com>
JIRA: https://issues.redhat.com/browse/RHEL-34947
commit 68021dee251e72d87ebbf052acf69b3217c11383
Author: Herbert Xu <herbert@gondor.apana.org.au>
Date: Sun, 13 Aug 2023 14:54:36 +0800
The engine file does not need the actual crypto type definitions
so move those header inclusions to where they are actually used.
Signed-off-by: Herbert Xu <herbert@gondor.apana.org.au>
Signed-off-by: Charles Mirabile <cmirabil@redhat.com>
JIRA: https://issues.redhat.com/browse/RHEL-34947
commit 1730c5aa3b158b15af567eb3aae84f5cf6ca66f2
Author: Prabhjot Khurana <prabhjot.khurana@intel.com>
Date: Wed, 20 Oct 2021 11:35:34 +0100
Add KPP support to the crypto engine queue manager, so that it can be
used to simplify the logic of KPP device drivers as done for other
crypto drivers.
Signed-off-by: Prabhjot Khurana <prabhjot.khurana@intel.com>
Signed-off-by: Daniele Alessandrelli <daniele.alessandrelli@intel.com>
Signed-off-by: Herbert Xu <herbert@gondor.apana.org.au>
Signed-off-by: Charles Mirabile <cmirabil@redhat.com>
JIRA: https://issues.redhat.com/browse/RHEL-38173
CVE: CVE-2023-52813
commit 8f4f68e788c3a7a696546291258bfa5fdb215523
Author: Lu Jialin <lujialin4@huawei.com>
Date: Mon Sep 4 13:33:41 2023 +0000
crypto: pcrypt - Fix hungtask for PADATA_RESET
We found a hungtask bug in test_aead_vec_cfg as follows:
INFO: task cryptomgr_test:391009 blocked for more than 120 seconds.
"echo 0 > /proc/sys/kernel/hung_task_timeout_secs" disables this message.
Call trace:
__switch_to+0x98/0xe0
__schedule+0x6c4/0xf40
schedule+0xd8/0x1b4
schedule_timeout+0x474/0x560
wait_for_common+0x368/0x4e0
wait_for_completion+0x20/0x30
wait_for_completion+0x20/0x30
test_aead_vec_cfg+0xab4/0xd50
test_aead+0x144/0x1f0
alg_test_aead+0xd8/0x1e0
alg_test+0x634/0x890
cryptomgr_test+0x40/0x70
kthread+0x1e0/0x220
ret_from_fork+0x10/0x18
Kernel panic - not syncing: hung_task: blocked tasks
For padata_do_parallel, when the return err is 0 or -EBUSY, it will call
wait_for_completion(&wait->completion) in test_aead_vec_cfg. In normal
case, aead_request_complete() will be called in pcrypt_aead_serial and the
return err is 0 for padata_do_parallel. But, when pinst->flags is
PADATA_RESET, the return err is -EBUSY for padata_do_parallel, and it
won't call aead_request_complete(). Therefore, test_aead_vec_cfg will
hang at wait_for_completion(&wait->completion), which will cause
hungtask.
The problem comes as following:
(padata_do_parallel) |
rcu_read_lock_bh(); |
err = -EINVAL; | (padata_replace)
| pinst->flags |= PADATA_RESET;
err = -EBUSY |
if (pinst->flags & PADATA_RESET) |
rcu_read_unlock_bh() |
return err
In order to resolve the problem, we replace the return err -EBUSY with
-EAGAIN, which means parallel_data is changing, and the caller should call
it again.
v3:
remove retry and just change the return err.
v2:
introduce padata_try_do_parallel() in pcrypt_aead_encrypt and
pcrypt_aead_decrypt to solve the hungtask.
Signed-off-by: Lu Jialin <lujialin4@huawei.com>
Signed-off-by: Guo Zihua <guozihua@huawei.com>
Signed-off-by: Herbert Xu <herbert@gondor.apana.org.au>
Signed-off-by: Herbert Xu <herbert.xu@redhat.com>
JIRA: https://issues.redhat.com/browse/RHEL-32199
Upstream Status: https://git.kernel.org/pub/scm/linux/kernel/git/torvalds/linux.git
Note: The core of this patch was already backported in commit 0d33f8e1f3,
and later commit a9e6d7970e backported the cifs part. This patch tries
to backport the remaining parts which don't have conflicts. This
change eases code reading and understanding and is not related to
functionality or features, hence leave those parts to the module developers
to backport when the dependency is met.
commit de4eda9de2d957ef2d6a8365a01e26a435e958cb
Author: Al Viro <viro@zeniv.linux.org.uk>
Date: Thu Sep 15 20:25:47 2022 -0400
use less confusing names for iov_iter direction initializers
READ/WRITE proved to be actively confusing - the meanings are
"data destination, as used with read(2)" and "data source, as
used with write(2)", but people keep interpreting those as
"we read data from it" and "we write data to it", i.e. exactly
the wrong way.
Call them ITER_DEST and ITER_SOURCE - at least that is harder
to misinterpret...
Signed-off-by: Al Viro <viro@zeniv.linux.org.uk>
Signed-off-by: Baoquan He <bhe@redhat.com>
MR: https://gitlab.com/redhat/centos-stream/src/kernel/centos-stream-9/-/merge_requests/3870
```
JIRA: https://issues.redhat.com/browse/RHEL-25845
Upstream Status: merged into the linux.git
Adjust DH algorithm implementation for FIPS certification
requirements. Add a pair-wise consistency test (PCT) per
SP800-56Arev3, 5.6.2.1.4. Add a panic on a failed test.
Add a boot-time test for the ffdhe2048(dh) template.
Signed-off-by: Vladis Dronov <vdronov@redhat.com>
```
Approved-by: Clemens Lang <cllang@redhat.com>
Approved-by: Herbert Xu <zxu@redhat.com>
Merged-by: Lucas Zampieri <lzampier@redhat.com>
JIRA: https://issues.redhat.com/browse/RHEL-25845
Upstream Status: RHEL only
The below patch from Nicolai is not going to be accepted upstream.
Add a panic on a failed test per FIPS certification requirement.
From: Nicolai Stange <nstange@suse.de>
Date: Tue, 30 Nov 2021 16:51:12 +0100
Subject: [PATCH] crypto: dh - implement FIPS PCT
References: jsc#SLE-21132,bsc#1191256
Patch-mainline: Never, not upstreamable
SP800-56Arev3, 5.6.2.1.4 ("Owner Assurance of Pair-wise Consistency")
requires that a pair-wise consistency check needs to be conducted on a
keypair. A pair-wise consistency test (PCT) is meant to ensure that
some provided public key is indeed associated with the given private one.
As the kernel's DH implementation always computes the public key from the
private one, this is guaranteed already as per the API. However, in the
course of the certification process, there had been a lengthy discussion
regarding this topic, with the result that a PCT is nonetheless mandatory.
Simply implement a PCT for DH and move on. As mandated by SP800-56Arev3,
5.6.2.1.4, the PCT involves recomputing the public key and comparing it
against the one under test.
Signed-off-by: Nicolai Stange <nstange@suse.de>
Signed-off-by: Vladis Dronov <vdronov@redhat.com>
JIRA: https://issues.redhat.com/browse/RHEL-25845
Upstream Status: merged into the linux.git
Conflicts: a missing upstream patch 65c92cbb3f23 ("crypto:
tcrypt - fix return value for multiple subtests"). Change
a test function call to a previous form.
commit 43a7885ec0dfca2bdc60f2de736e55cf5e7b915d
Author: Vladis Dronov <vdronov@redhat.com>
Date: Thu Feb 29 18:36:03 2024 +0100
crypto: tcrypt - add ffdhe2048(dh) test
Commit 7dce59819750 ("crypto: dh - implement ffdheXYZ(dh) templates")
implemented the said templates. Add ffdhe2048(dh) test as it is the
fastest one. This is a requirement for the FIPS certification.
Signed-off-by: Vladis Dronov <vdronov@redhat.com>
Signed-off-by: Herbert Xu <herbert@gondor.apana.org.au>
Signed-off-by: Vladis Dronov <vdronov@redhat.com>
JIRA: https://issues.redhat.com/browse/RHEL-25845
Upstream Status: merged into the linux.git
commit f66a211e8c5d9b1b0531364c1b16874b0499e0d2
Author: Herbert Xu <herbert@gondor.apana.org.au>
Date: Wed Feb 21 13:19:15 2024 +0800
crypto: dh - Make public key test FIPS-only
The function dh_is_pubkey_valid was added for FIPS but it was
only partially conditional on fips_enabled.
In particular, the first test in the function relies on the last
test to work properly, but the last test is only run in FIPS mode.
Fix this inconsistency by making the whole function conditional
on fips_enabled.
Signed-off-by: Herbert Xu <herbert@gondor.apana.org.au>
Signed-off-by: Vladis Dronov <vdronov@redhat.com>
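The DH changes above (the RHEL-only PCT patch, the tcrypt ffdhe2048(dh) test and the dh_is_pubkey_valid fix) together describe what FIPS mode requires of a DH key generation: full public-key validation (1 < y < p-1 and y^q mod p == 1) plus the SP800-56Arev3 5.6.2.1.4 pair-wise consistency test that recomputes g^x mod p and compares it to the public key under test. As an added example (not the kernel's crypto/dh.c), the following Python carries both checks on a constructed toy safe-prime group (p = 1019, q = 509, g = 4, chosen only so the example runs instantly); a real deployment uses the RFC 7919 ffdhe2048 group or larger and the checks are identical. Where the kernel panics on a failed test in FIPS mode, the example raises.

```python
import secrets

# Constructed toy safe-prime group, for illustration only: p = 2q + 1 with both prime.
P = 1019
Q = (P - 1) // 2          # 509
G = 4                     # a square mod p, hence a generator of the order-q subgroup


def dh_is_pubkey_valid(y: int, p: int = P, q: int = Q) -> bool:
    """Full public-key validation for a safe-prime group (SP800-56Ar3 5.6.2.3.1):
    1 < y < p-1, and y lies in the order-q subgroup, i.e. y^q mod p == 1.
    The first test alone is not enough: it lets small-subgroup elements through."""
    if not 1 < y < p - 1:
        return False
    return pow(y, q, p) == 1


def dh_pct(x: int, y: int, p: int = P, g: int = G) -> bool:
    """SP800-56Ar3 5.6.2.1.4 pair-wise consistency test: recompute the public key
    from the private key and require it to equal the one under test."""
    return pow(g, x, p) == y


def dh_generate_keypair(p: int = P, q: int = Q, g: int = G):
    x = 1 + secrets.randbelow(q - 1)   # private key in [1, q-1]
    return x, pow(g, x, p)


def fips_keygen(p: int = P, q: int = Q, g: int = G):
    """Key generation the way a FIPS-mode path must do it: generate, validate the
    public key, run the PCT, and fail hard (the kernel panics) on any mismatch."""
    x, y = dh_generate_keypair(p, q, g)
    if not dh_is_pubkey_valid(y, p, q):
        raise RuntimeError("DH public key validation failed")
    if not dh_pct(x, y, p, g):
        raise RuntimeError("DH pair-wise consistency test failed")
    return x, y


def shared_secret(x: int, peer_y: int, p: int = P, q: int = Q) -> int:
    """Reject an invalid peer key before exponentiating with our private key."""
    if not dh_is_pubkey_valid(peer_y, p, q):
        raise ValueError("peer public key rejected")
    return pow(peer_y, x, p)


if __name__ == "__main__":
    xa, ya = fips_keygen()
    xb, yb = fips_keygen()
    print("agreement:", shared_secret(xa, yb) == shared_secret(xb, ya))
    print("PCT on corrupted key:", dh_pct(xa, (ya * G) % P))   # False
    print("y = p-1 accepted:", dh_is_pubkey_valid(P - 1))      # False
```

With p = 1019 the element 2 is a quadratic non-residue (p mod 8 == 3), so it passes the range test but fails the subgroup test; that is the case the kernel's last check in dh_is_pubkey_valid exists for.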
MR: https://gitlab.com/redhat/centos-stream/src/kernel/centos-stream-9/-/merge_requests/3755
JIRA: https://issues.redhat.com/browse/RHEL-17113
Upstream Status: RHEL only
CVE: CVE-2023-6240
The decryption and signing capabilities are never used within the
kernel. However, they are exposed to user-space through the keyctl
system call.
As these operations may cause security issues, disable them by
stubbing out the relevant entry points.
Signed-off-by: Herbert Xu <herbert.xu@redhat.com>
Approved-by: Vladis Dronov <vdronov@redhat.com>
Approved-by: John B. Wyatt IV <jwyatt@redhat.com>
Merged-by: Lucas Zampieri <lzampier@redhat.com>
MR: https://gitlab.com/redhat/centos-stream/src/kernel/centos-stream-9/-/merge_requests/3617
```
JIRA: https://issues.redhat.com/browse/RHEL-20145
Upstream Status: 19 commits are merged into the linux.git
1 RHEL-Only commit with configs
Backport Intel Analytics Accelerator (IAA) Compression Accelerator
crypto driver with the upstream v6.7 code. All the commits apply
cleanly, no conflicts, no changes vs the upstream.
Signed-off-by: Vladis Dronov <vdronov@redhat.com>
```
Approved-by: Phil Auld <pauld@redhat.com>
Approved-by: Jerry Snitselaar <jsnitsel@redhat.com>
Approved-by: Herbert Xu <zxu@redhat.com>
Merged-by: Scott Weaver <scweaver@redhat.com>
JIRA: https://issues.redhat.com/browse/RHEL-24869
Upstream Status: merged into herbert/cryptodev-2.6.git
commit e8829ef1f73fa4051a936ab9f0204195dae4ef2b
Author: Joachim Vandersmissen <git@jvdsn.com>
Date: Sat Feb 3 01:19:59 2024 -0600
crypto: rsa - restrict plaintext/ciphertext values more
SP 800-56Br2, Section 7.1.1 [1] specifies that:
1. If m does not satisfy 1 < m < (n – 1), output an indication that m is
out of range, and exit without further processing.
Similarly, Section 7.1.2 of the same standard specifies that:
1. If the ciphertext c does not satisfy 1 < c < (n – 1), output an
indication that the ciphertext is out of range, and exit without further
processing.
This range is slightly more conservative than RFC3447, as it also
excludes RSA fixed points 0, 1, and n - 1.
[1] https://doi.org/10.6028/NIST.SP.800-56Br2
Signed-off-by: Joachim Vandersmissen <git@jvdsn.com>
Signed-off-by: Herbert Xu <herbert@gondor.apana.org.au>
Signed-off-by: Vladis Dronov <vdronov@redhat.com>
JIRA: https://issues.redhat.com/browse/RHEL-24869
Upstream Status: merged into the linux.git
commit d872ca165cb67112f2841ef9c37d51ef7e63d1e4
Author: Dan Carpenter <dan.carpenter@linaro.org>
Date: Mon Oct 30 12:02:59 2023 +0300
crypto: rsa - add a check for allocation failure
Static checkers insist that the mpi_alloc() allocation can fail so add
a check to prevent a NULL dereference. Small allocations like this
can't actually fail in current kernels, but adding a check is very
simple and makes the static checkers happy.
Fixes: 6637e11e4ad2 ("crypto: rsa - allow only odd e and restrict value in FIPS mode")
Signed-off-by: Dan Carpenter <dan.carpenter@linaro.org>
Signed-off-by: Herbert Xu <herbert@gondor.apana.org.au>
Signed-off-by: Vladis Dronov <vdronov@redhat.com>
JIRA: https://issues.redhat.com/browse/RHEL-24869
Upstream Status: merged into the linux.git
commit 6637e11e4ad22ff03183da0dbd36d65c98b81cf7
Author: Mahmoud Adam <mngyadam@amazon.com>
Date: Tue Jun 13 16:17:31 2023 +0000
crypto: rsa - allow only odd e and restrict value in FIPS mode
Check that the RSA public exponent is odd and that its value satisfies
2^16 < e < 2^256.
FIPS 186-5 DSS (page 35) [1] specifies that:
1. The public exponent e shall be selected with the following constraints:
(a) The public verification exponent e shall be selected prior to
generating the primes, p and q, and the private signature exponent
d.
(b) The exponent e shall be an odd positive integer such that:
2^16 < e < 2^256.
[1] https://nvlpubs.nist.gov/nistpubs/FIPS/NIST.FIPS.186-5.pdf
Signed-off-by: Mahmoud Adam <mngyadam@amazon.com>
Reviewed-by: Stephan Mueller <smueller@chronox.de>
Signed-off-by: Herbert Xu <herbert@gondor.apana.org.au>
Signed-off-by: Vladis Dronov <vdronov@redhat.com>
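The two RSA commits above (the SP 800-56Br2 plaintext/ciphertext range check and the FIPS 186-5 public-exponent check) are illustrated here with an added example that is not part of this changelog or of the kernel's rsa.c. It uses Python integers in place of the kernel's MPI type; the function names, the E_MIN/E_MAX constants and the toy key are constructed for the illustration. It also shows why the range 1 < m < n - 1 is tighter than RFC 3447's 0 <= m <= n - 1: the excluded values 0, 1 and n - 1 are fixed points of raw RSA (m^e mod n == m for any odd e).

```python
# Added illustration (not the kernel's code): the RSA input checks described
# in the two commits above, written over Python integers instead of the
# kernel's MPI type.  Constants and the toy key are constructed for this example.

E_MIN = 1 << 16   # FIPS 186-5: 2^16 < e
E_MAX = 1 << 256  # FIPS 186-5: e < 2^256


def exponent_is_valid(e: int) -> bool:
    """FIPS 186-5 constraint on the public exponent: odd and 2^16 < e < 2^256."""
    return e % 2 == 1 and E_MIN < e < E_MAX


def in_range_sp800_56b(x: int, n: int) -> bool:
    """SP 800-56Br2 7.1.1 / 7.1.2: accept only 1 < x < n - 1."""
    return 1 < x < n - 1


def in_range_rfc3447(x: int, n: int) -> bool:
    """RFC 3447 RSAEP/RSADP only require 0 <= x <= n - 1 (the wider range)."""
    return 0 <= x <= n - 1


def is_fixed_point(m: int, e: int, n: int) -> bool:
    """True when raw modular exponentiation maps m to itself (m^e mod n == m)."""
    return pow(m, e, n) == m


def rsa_encrypt(m: int, e: int, n: int) -> int:
    """Raw RSA encryption with both checks applied before the exponentiation."""
    if not exponent_is_valid(e):
        raise ValueError("public exponent e is not an odd integer in (2^16, 2^256)")
    if not in_range_sp800_56b(m, n):
        raise ValueError("plaintext out of range")
    return pow(m, e, n)


def rsa_decrypt(c: int, d: int, n: int) -> int:
    """Raw RSA decryption; the ciphertext gets the same 1 < c < n - 1 check."""
    if not in_range_sp800_56b(c, n):
        raise ValueError("ciphertext out of range")
    return pow(c, d, n)


def rejected_by_sp800_56b_only(n: int) -> list:
    """Values RFC 3447 would accept but SP 800-56Br2 rejects, for a given n."""
    return [x for x in range(n)
            if in_range_rfc3447(x, n) and not in_range_sp800_56b(x, n)]


# Constructed toy key: p = 61, q = 53, n = 3233.  Far too small for real use;
# it only makes the fixed points and the round trip easy to follow.
TOY_P, TOY_Q = 61, 53
TOY_N = TOY_P * TOY_Q
TOY_E = 65537                                    # smallest e passing FIPS 186-5
TOY_D = pow(TOY_E, -1, (TOY_P - 1) * (TOY_Q - 1))  # private exponent


if __name__ == "__main__":
    for m in (0, 1, TOY_N - 1):
        print(m, "is a fixed point:", is_fixed_point(m, TOY_E, TOY_N))
    print("rejected only by SP 800-56Br2:", rejected_by_sp800_56b_only(TOY_N))
    c = rsa_encrypt(42, TOY_E, TOY_N)
    print("round trip:", rsa_decrypt(c, TOY_D, TOY_N))
```

Running the block lists exactly 0, 1 and n - 1 as the values that pass the RFC 3447 check but fail the SP 800-56Br2 one, and shows each of them mapping to itself under encryption, which is why the stricter range is worth enforcing even though a conforming RFC 3447 implementation would accept them.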
JIRA: https://issues.redhat.com/browse/RHEL-17113
Upstream Status: RHEL only
CVE: CVE-2023-6240
The decryption and signing capabilities are never used within the
kernel. However, they are exposed to user-space through the keyctl
system call.
As these operations may cause security issues, disable them by
stubbing out the relevant entry points.
Signed-off-by: Herbert Xu <herbert.xu@redhat.com>
JIRA: https://issues.redhat.com/browse/RHEL-20145
Upstream Status: merged into the linux.git
commit 2ec6761df889fdf896fde761abd447596dd8f8c2
Author: Tom Zanussi <tom.zanussi@linux.intel.com>
Date: Tue Dec 5 15:25:27 2023 -0600
crypto: iaa - Add support for deflate-iaa compression algorithm
This patch registers the deflate-iaa deflate compression algorithm and
hooks it up to the IAA hardware using the 'fixed' compression mode
introduced in the previous patch.
Because the IAA hardware has a 4k history-window limitation, only
buffers <= 4k, or that have been compressed using a <= 4k history
window, are technically compliant with the deflate spec, which allows
for a window of up to 32k. Because of this limitation, the IAA fixed
mode deflate algorithm is given its own algorithm name, 'deflate-iaa'.
With this change, the deflate-iaa crypto algorithm is registered and
operational, and compression and decompression operations are fully
enabled following the successful binding of the first IAA workqueue
to the iaa_crypto sub-driver.
When there are no IAA workqueues bound to the driver, the IAA crypto
algorithm can be unregistered by removing the module.
A new iaa_crypto 'verify_compress' driver attribute is also added,
allowing the user to toggle compression verification. If set, each
compress will be internally decompressed and the contents verified,
returning error codes if unsuccessful. This can be toggled with 0/1:
echo 0 > /sys/bus/dsa/drivers/crypto/verify_compress
The default setting is '1' - verify all compresses.
The verify_compress value setting at the time the algorithm is
registered is captured in the algorithm's crypto_ctx and used for all
compresses when using the algorithm.
[ Based on work originally by George Powley, Jing Lin and Kyung Min
Park ]
Signed-off-by: Tom Zanussi <tom.zanussi@linux.intel.com>
Signed-off-by: Herbert Xu <herbert@gondor.apana.org.au>
Signed-off-by: Vladis Dronov <vdronov@redhat.com>
MR: https://gitlab.com/redhat/centos-stream/src/kernel/centos-stream-9/-/merge_requests/3412
```
JIRA: https://issues.redhat.com/browse/RHEL-15640
Depends: !3350
Omitted-Fix: 586d492f2856 Intentionally omitted as they are for
Omitted-Fix: 8ae8a494eae4 unrelated code
Upstream Status: 73 commits are merged into the linux.git
1 last commit is from herbert/cryptodev-2.6.git
Update QAT drivers up to the upstream v6.7 fixing important bugs.
Bring in unrelated commits to make include/linux/units.h equal
to the upstream one. Bring in unrelated keembay and ixp4xx commits
to make a clean move drivers/crypto/ -> drivers/crypto/intel/.
Almost all the commits apply cleanly, no conflicts, no changes vs
the upstream. The following commits have conflicts explained in
the commit messages:
- units: Add BYTES_PER_*BIT
- crypto: keembay - Move driver to drivers/crypto/intel/keembay
- crypto: ixp4xx - Move driver to drivers/crypto/intel/ixp4xx
Signed-off-by: Vladis Dronov <vdronov@redhat.com>
```
Approved-by: Herbert Xu <zxu@redhat.com>
Approved-by: Tony Camuso <tcamuso@redhat.com>
Approved-by: John W. Linville <linville@redhat.com>
Signed-off-by: Scott Weaver <scweaver@redhat.com>
JIRA: https://issues.redhat.com/browse/RHEL-11887
Upstream Status: RHEL Only
This reverts commit 8ab5e75853.
Note: This is not a straight revert as additional commits changed the "if
(fips_enabled)" line. The change has been reverted appropriately to
reflect the new if statement.
Signed-off-by: Prarit Bhargava <prarit@redhat.com>